topic How to edit my search to display individual event counts for each sourcetype? in Splunk Search https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-display-individual-event-counts-for/m-p/225720#M66571 <P>I have the following search and it works pretty well, however I need to see the event counts for each of the sourcetypes individually not as total count. </P> <PRE><CODE>index=windows (splunk_server=* OR splunk_server=*) OR (sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:Application" OR sourcetype="WinEventLog:System") | chart count values(sourcetype) as index by splunk_server | table splunk_server index count | rename splunk_server TO abc-host | rename index TO Log-Type </CODE></PRE> Tue, 10 Jan 2017 18:05:23 GMT bluemarvel 2017-01-10T18:05:23Z How to edit my search to display individual event counts for each sourcetype? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-display-individual-event-counts-for/m-p/225720#M66571 <P>I have the following search and it works pretty well, however I need to see the event counts for each of the sourcetypes individually not as total count. </P> <PRE><CODE>index=windows (splunk_server=* OR splunk_server=*) OR (sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:Application" OR sourcetype="WinEventLog:System") | chart count values(sourcetype) as index by splunk_server | table splunk_server index count | rename splunk_server TO abc-host | rename index TO Log-Type </CODE></PRE> Tue, 10 Jan 2017 18:05:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-display-individual-event-counts-for/m-p/225720#M66571 bluemarvel 2017-01-10T18:05:23Z Re: How to edit my search to display individual event counts for each sourcetype? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-display-individual-event-counts-for/m-p/225721#M66572 <P>If I understood the original intention of you search filter, using <CODE>tstats</CODE> will be faster.</P> <PRE><CODE>| tstats count where index=windows OR (sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:Application" OR sourcetype="WinEventLog:System") by index sourcetype splunk_server | table sourcetype splunk_server index count | rename splunk_server TO abc-host | rename index TO Log-Type </CODE></PRE> Tue, 10 Jan 2017 18:15:37 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-display-individual-event-counts-for/m-p/225721#M66572 rjthibod 2017-01-10T18:15:37Z Re: How to edit my search to display individual event counts for each sourcetype? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-display-individual-event-counts-for/m-p/225722#M66573 <P>@bluemarvel, did my answer give you what you needed? </P> Thu, 12 Jan 2017 18:48:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-display-individual-event-counts-for/m-p/225722#M66573 rjthibod 2017-01-12T18:48:53Z Re: How to edit my search to display individual event counts for each sourcetype? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-display-individual-event-counts-for/m-p/225723#M66574 <P>not exactly ----the query gives me a total count of for all of the sources combined , I would like to see totals of each individually<BR /> total :135014<BR /> MSAD:NT6:DNS-Health<BR /> MSAD:NT6:DNS-Zone-Information<BR /> MSAD:NT6:Health<BR /> MSAD:NT6:Netlogon<BR /> MSAD:NT6:Replication<BR /> MSAD:NT6:SiteInfo<BR /> WinEventLog:DNS-Server<BR /> WinEventLog:Directory-Service<BR /> WindowsUpdateLog</P> Thu, 12 Jan 2017 22:41:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-display-individual-event-counts-for/m-p/225723#M66574 bluemarvel 2017-01-12T22:41:46Z Re: How to edit my search to display individual event counts for each sourcetype? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-display-individual-event-counts-for/m-p/225724#M66575 <P>I think I am missing something. The query I provided should give you a table with the total count of events per index, sourcetype, and server. For example, here is my own data using my query (I MD5'ed my host field). If this was your data, what field am I missing or what is out of place, because your last response does not clarify the request for me. Sorry.</P> <PRE><CODE> sourcetype abc-host Log-Type count WinEventLog:Application f6a667... wineventlog 140 WinEventLog:Security f6a667... wineventlog 169 WinEventLog:System f6a667... wineventlog 611 </CODE></PRE> Thu, 12 Jan 2017 23:31:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-display-individual-event-counts-for/m-p/225724#M66575 rjthibod 2017-01-12T23:31:31Z Re: How to edit my search to display individual event counts for each sourcetype? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-display-individual-event-counts-for/m-p/225725#M66576 <P>yes, it did thank you, had to re-arrange some things </P> Fri, 13 Jan 2017 16:02:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-display-individual-event-counts-for/m-p/225725#M66576 bluemarvel 2017-01-13T16:02:33Z Re: How to edit my search to display individual event counts for each sourcetype? https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-display-individual-event-counts-for/m-p/225726#M66577 <P>Glad to hear it was straightened out.</P> Fri, 13 Jan 2017 16:17:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-edit-my-search-to-display-individual-event-counts-for/m-p/225726#M66577 rjthibod 2017-01-13T16:17:58Z